On 11 March 2014 11:22, Michael S. Tsirkin <m...@redhat.com> wrote:
> BTW I still see these warnings in the logs:
> # gpg: WARNING: This key is not certified with a trusted signature!
> # gpg: There is no indication that the signature belongs to
> # the
>
> These seem counter-productive: people get used
> to ignoring the warnings.
> A bunch of people verified my key at the latest KVM forum
> so how about importing keys from contributors
> and denying pulls where keys don't match?
That won't help with removing the warning. What gpg is saying here is "I found this key in the keyring, and the signature checks out, but there's no chain of trust between the person who applied the pull and that key". That is, I haven't signed your key.

The other kind of warning is:

# gpg: Signature made Sat 08 Mar 2014 21:26:01 GMT using RSA key ID 5872D723
# gpg: Can't check signature: public key not found

which means "I didn't find the gpg key in the keyring". Genuinely mismatching signatures would be a gpg error rather than a mere warning, I think.

Since we're still accepting unsigned pull requests I don't think this matters too much. In either case if somebody really cares later they can attempt to establish a chain of trust between themselves and the submitter after the fact, I guess.

Personally I think the next step we should take would be to get all the people currently submitting unsigned pull requests to move over to signing them.

thanks
-- PMM
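The three outcomes Peter distinguishes (good signature with no trust path, key not in the keyring, and a genuinely bad signature) are easier to tell apart from gpg's machine-readable `--status-fd` lines than from the human-readable warnings. The following is an added example, not code from the thread or from the QEMU project; the status transcripts are constructed samples with made-up key ids and user ids.

```python
import re

# Constructed samples of "gpg --status-fd 1 --verify" output, one per outcome.
# Key id, name and address are invented for illustration.
UNTRUSTED_GOOD = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Contributor <contributor@example.org>
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

NO_KEY = """\
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 0123456789ABCDEF 1 8 00 1394313961 9
[GNUPG:] NO_PUBKEY 0123456789ABCDEF
"""

BAD = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0123456789ABCDEF Example Contributor <contributor@example.org>
"""


def classify(status_output: str) -> str:
    """Classify a gpg --status-fd transcript for a single signature.

    Returns:
      'bad'        signature does not verify (gpg reports an error, not a warning)
      'no-pubkey'  signing key is not in the keyring ("Can't check signature")
      'error'      gpg could not verify for another reason (ERRSIG without NO_PUBKEY)
      'untrusted'  good signature, but no trust path to the key
                   ("This key is not certified with a trusted signature!")
      'trusted'    good signature and the key has full or ultimate trust
    """
    keywords = set()
    for line in status_output.splitlines():
        m = re.match(r"\[GNUPG:\]\s+(\S+)", line)
        if m:
            keywords.add(m.group(1))
    if "BADSIG" in keywords:
        return "bad"
    if "NO_PUBKEY" in keywords:
        return "no-pubkey"
    if "ERRSIG" in keywords:
        return "error"
    if "GOODSIG" in keywords:
        if keywords & {"TRUST_FULLY", "TRUST_ULTIMATE"}:
            return "trusted"
        return "untrusted"
    return "unknown"
```

A pull-request gate that wants to reject only the 'bad' and 'no-pubkey' cases, while tolerating 'untrusted' as the thread suggests, can branch on this result instead of grepping the warning text.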